Cyber-security regulation

Cybersecurity measures include firewalls, anti-virus software, intrusion detection and prevention systems, encryption, and login passwords.

Recent research suggests there is also a lack of cyber-security regulation and enforcement in maritime businesses, including the digital connectivity between ships and ports.

In 2011 the US DoD released guidance titled the Department of Defense Strategy for Operating in Cyberspace, which articulated five goals: to treat cyberspace as an operational domain, to employ new defensive concepts to protect DoD networks and systems, to partner with other agencies and the private sector in pursuit of a "whole-of-government cybersecurity Strategy", to work with international allies in support of collective cybersecurity, and to support the development of a cyber workforce capable of rapid technological innovation.

For example, FISMA, which applies to every government agency, "requires the development and implementation of mandatory policies, principles, standards, and guidelines on information security."

Bruce Schneier, the founder of Cupertino's Counterpane Internet Security, argues that companies will not make sufficient investments in cybersecurity unless the government forces them to do so.

Congressmen have also proposed "expanding Gramm-Leach-Bliley to all industries that touch consumer financial information, including any firm that accepts payment by a credit card."[11]

Congress has proposed cybersecurity regulations similar to California's Notice of Security Breach Act for companies that maintain personal information.

On May 12, 2011, US president Barack Obama proposed a package of cybersecurity legislative reforms to improve the security of US persons, the federal government, and critical infrastructure.

According to The Washington Post, experts said that the failure to pass the act may leave the United States "vulnerable to widespread hacking or a serious cyberattack."

Critics of the bill included the US Chamber of Commerce,[24] advocacy groups like the American Civil Liberties Union and the Electronic Frontier Foundation,[25] cybersecurity expert Jody Westby, and The Heritage Foundation, both of whom argued that although the government must act on cybersecurity, the bill was flawed in its approach and represented "too intrusive a federal role."

It seeks to improve existing public-private partnerships by enhancing timeliness of information flow between DHS and critical infrastructure companies.

It directs federal agencies to share cyber threat intelligence warnings to any private sector entity identified as a target.

It directs the development of a framework to reduce cyber risks, incorporating current industry best practices and voluntary standards.

Lastly, it tasks the federal agencies involved with incorporating privacy and civil liberties protections in line with Fair Information Practice Principles.

Another main effort that was emphasized in this proposal was to modernize the law enforcement authorities to make them more equipped to properly deal with cyber crimes by giving them the tools they need in order to do so.

The last major effort of the legislative proposal was to require businesses to report data breaches to consumers if their personal information had been compromised.

The third highlight of the plan is to give Americans knowledge on how they can secure their online accounts and avoid theft of their personal information through multi-factor authentication.

In addition to regulation, the federal government has tried to improve cybersecurity by allocating more resources to research and collaborating with the private sector to write standards.

However, the President's National Strategy clearly states that the purpose is to provide a framework for the owners of computer systems to improve their security rather than the government taking over and solving the problem.

In the United States, the US Congress is trying to make information more transparent after the Cyber Security Act of 2012, which would have created voluntary standards for protecting vital infrastructure, failed to pass through the Senate.

The focus of their operations is on three factors. ENISA is made up of a management board that relies on the support of the executive director and the Permanent Stakeholders Group.

Even if DSPs and OES outsource the maintenance of their information systems to third parties, the NIS Directive still holds them accountable for any security incidents.

The member states of the EU are required to create an NIS Directive strategy, which includes the CSIRTs, in addition to National Competent Authorities (NCAs) and Single Points of Contact (SPOCs).

In addition, as in previous regulations, all data breaches that affect the rights and freedoms of individuals residing in the EU must be disclosed within 72 hours.

The Directive also aims to harmonise the EU approach to incident notifications, security requirements, supervisory measures and information sharing.

DORA creates a regulatory framework on digital operational resilience whereby all firms need to make sure they can withstand, respond to and recover from all types of ICT-related disruptions and threats.

The Cyber Resilience Act (CRA) is a regulation proposed on 15 September 2022 by the European Commission which outlines common cybersecurity standards for hardware and software products in the EU.

Bruce Schneier also supports regulation that encourages software companies to write more secure code through economic incentives.

US Representative Rick Boucher (D–VA) proposes improving cybersecurity by making software companies liable for security flaws in their code.

He states that "the private-sector must continue to be able to innovate and adapt in response to new attack methods in cyber space, and toward that end, we commend President Bush and the Congress for exercising regulatory restraint."